How a SaaS company migrated from VMware to OpenStack and got FedRAMP High authorization
Most enterprises have been using traditional virtualization from VMware, but many find that it’s not viable for rapid growth due to high costs. In this blog, we will describe how Mirantis Professional Services helped a fast-growing SaaS company migrate 3,000 VMs from VMware to OpenStack private clouds, achieve FedRAMP High certification and rapidly expand worldwide. We’ll chronicle their journey through all their important milestones, from their architecture design and deployment of an OpenStack pilot to subsequent FedRAMP focused customizations, Authorization to Operate (ATO) and beyond.
Architecture Design Assessment
It was the SaaS company’s first time working with OpenStack and with Mirantis, so they were eager to begin an Architecture Design Assessment (ADA) to see what Mirantis would propose. Typically three weeks long, a Mirantis ADA delivers a complete, vendor-neutral architecture design proposal, tuned to customers’ unique business conditions, requirements, workloads, users and cost structure.
To kick it off, Mirantis system and network architects led a three-day onsite workshop with the customer’s cloud team and key stakeholders to discuss their business drivers, constraints and requirements. Their immediate goal was to migrate 3,000 VMs from VMware on bare metal to an OpenStack-based, self-service staging cloud for their development and QA teams. They needed to cut costs, improve performance, and increase scalability to support rapid growth. The company serves many federal governments around the world, and they also discussed their future goal to build a 200+ node production cloud with FIPS 140-2 and FedRAMP High compliance, including IPsec encryption for all traffic in motion and at rest.
After two weeks, Mirantis architects created a recommended cloud design for a Minimum Viable Product (MVP), including compute, storage, and networking hardware and software, advanced authentication design, operational and risk assessments, and a recommended bill of materials with the customer’s preferred Hyperconverged Infrastructure (HCI). Mirantis also delivered a 20-page Cloud Passport with all the information needed to deploy the on-premises staging cloud environment.
By the end of the ADA, the customer was impressed by Mirantis’ deep expertise and thorough architectural plan, which showed that Mirantis fully understood their requirements. They appreciated Mirantis’ willingness to accommodate their needs and felt confident to move forward with a pilot deployment.
Pilot deployment with custom integrations
A week after the ADA, Mirantis got the green light to deploy a 40-node pilot. A Mirantis deployment engineer collaborated with the customer’s data center technicians to complete Mirantis’ deployment readiness checklist, covering compute, network, and storage configurations, resource availability, authentication settings, and other prerequisites. When everything was ready, the deployment engineer installed Mirantis OpenStack for Kubernetes (MOSK) and provisioned the pilot environment, following the hardened configuration specified in the Cloud Passport. Mirantis engineers also optimized the cloud with custom integrations for single sign-on (SSO), load balancing-as-a-service (LBaaS), and DNS-as-a-service (DNSaaS).
A Mirantis QA engineer then completed an exhaustive cloud verification test plan with more than 100 points of inspection to ensure proper configuration, conformance, functionality, and performance. Individualized tests for the SSO, LBaaS, and DNSaaS customizations were included. The QA engineer delivered a comprehensive test report, which reassured the customer’s technical staff and business stakeholders of the cluster’s readiness and the high quality of Mirantis’ work. Once the cloud had a clean bill of health, Mirantis QA handed the cloud over to the customer and Mirantis technical support, making sure the transition was as painless as possible.
The entire preparation, deployment, customization, and verification process took a little over a month. Meanwhile, the customer’s data center staff also completed both general OpenStack and product-specific Mirantis OpenStack for Kubernetes courses from Mirantis Training so they would be ready to maintain the cluster.
Workload migration and production deployment
Now that the pilot cloud was ready, workload migration could begin. Mirantis architects developed an end-to-end strategy to prepare, plan, execute and validate the migration. First, they led a workshop with the customer to inventory and classify workloads based on topology, resource requirements, components, and other factors. Next, they developed a step-by-step CI/CD-based migration plan for pilot workloads, implemented the necessary automations and corporate service integrations, and tested the code against the workloads. Finally, the customer migrated the pilot workloads from VMware, with technical assistance from Mirantis to help validate that they were running smoothly in the new environment.
After successfully migrating pilot workloads to the pilot cloud, the customer felt confident to begin deploying production clouds and migrating the remaining workloads. In the next few months, they migrated 3,000 VMs from VMware to OpenStack, enabling the customer to save more than 60% in cloud costs. Besides cost savings, the customer also gained much greater flexibility and extensibility than they had with VMware to fine-tune the infrastructure for their needs. Time savings were also significant: deployments that used to take 3 months with VMware could now be done in as little as one week with Mirantis, including QA and handover.
For production, the customer wanted Mirantis to handle all the operations and upgraded to OpsCare Plus managed services. Within the next 12 months, the company quickly scaled out with more than a dozen production clusters around the world.
FedRAMP solution design and pilot deployment
The customer’s next initiative with Mirantis was to design and deploy FedRAMP High compliant on-premises cloud infrastructure on a tight timeline of only 6 months, with many new features to be delivered in only 3 months’ time. FedRAMP is a federal program that standardizes security authorizations for cloud services, making it easier for federal agencies to transition to modern, cloud-based IT. FedRAMP High authorization is required for government systems that process the most sensitive, unclassified data, such as for law enforcement, finance, or healthcare.
To accelerate FedRAMP feature readiness, the customer engaged a Mirantis DevOps engineering subscription so that a dedicated team of Mirantis engineers could build and extend their OpenStack cloud environments full time. FedRAMP High has the greatest level of technical difficulty, with more than 400 security control baselines. The Mirantis DevOps engineers worked closely with Mirantis product engineers to advocate for the customer’s needs and add dozens of new product features and integrations, including a FIPS-compliant host operating system, data encryption for block and object storage, Trusted Platform Module-based secure booting, automated key rotation, and IPsec encryption for all traffic in motion and at rest. Several of these became part of the core product offering for Mirantis OpenStack for Kubernetes.
Mirantis DevOps engineers also worked with the Mirantis Director of Security to determine what else would be needed besides product features and integrations. Piloting the FedRAMP compliant cloud involved not only making the machines and software compliant, but also piloting a new process for resolving any issues that came up in vulnerability scans, for example. Mirantis QA also customized their cloud verification test plan to include FedRAMP related tests. After successfully provisioning the pilot cloud, Mirantis helped onboard and validate pilot workloads.
The customer found great value in having full-time Mirantis DevOps expertise dedicated to their needs, enabling them to meet aggressive timelines and fulfill a long list of difficult technical requirements. They were excited to progress quickly towards FedRAMP High certification, a strategic goal they had been planning for years.
Production deployment for FedRAMP compliance audit
After the successful FedRAMP pilot, Mirantis deployed a production cloud for the official compliance audit. The customer secured an agency sponsor and hired a third-party assessment organization (3PAO) to provide a Security Assessment Report, which involved review and validation of their Security Assessment Plan, interviews with control owners, site inspections, penetration testing, and more. Mirantis assisted throughout the process by answering questions and providing audit evidence as needed. Scan results were shared with the Mirantis product team, who used the information to make the core product more FedRAMP compliant.
When the report was finalized, the customer submitted it to their agency sponsor and the FedRAMP Project Management Office (PMO) for review, along with supporting materials. Months later, the customer received FedRAMP High Authorization to Operate (ATO), enabling them to significantly expand their business with federal customers.
Dedicated DevOps expertise
While preparing for FedRAMP compliance, the customer became a huge fan of the Mirantis DevOps subscription, which enabled them to greatly accelerate their business use case. Today, they continue to augment their own technical staff with full-time Mirantis DevOps engineers in their own time zone. These engineers provide ongoing performance tuning and optimization, with the flexibility to accommodate a wide range of requests, such as evaluating and implementing ideas for new features, scaling out deployments, performing upgrades and more.
The Mirantis DevOps engineers have become intimately familiar with the customer’s needs and serve as immediately available points of contact with a vested interest in the customer’s success. Because the DevOps engineers are a permanent resource, the customer no longer needs to go through a lengthy approval process to have the engineers begin work on additional projects. The customer has experienced exponential growth since partnering with Mirantis, and dedicated DevOps expertise from Mirantis has enabled them to quickly deploy new sites and implement new use cases to keep up with customer demand.
The customer has very bright and motivated technical staff who are always coming up with new ideas for cloud optimization, so the Mirantis DevOps subscription truly enables them to get as much value as possible from their OpenStack cloud investments.
Come talk to us
The Mirantis Professional Services team would love to help accelerate your business use case. Contact us today to find out how our highly specialized expert staff and broad range of service offerings can help you reach your business goals.